Network accessibility problem

Network accessibility problem

[gerardo juarez-mondragon]

I have a Fedora Core 2 server running in a
network behind a firewall. I need access to ports
22 and 80 from outside but the firewall
administration is not under my control. I have
requested this access to be opened and the
administrator says it is already open, yet I
still cannot access it from outside.

I have run a few tests and this is what I found:

(Filtering tables are flushed with iptables -F,
on the server, prior to the tests)

I can ping to/from it from/to any place, whether
it is inside or outside the office.

I can ssh to it from any place *inside*, but not
 from outside. A ssh -v from a computer outside
succeeds up to the "entering event loop" message
(which means it has presumably connected but the
dialog does not proceed beyond this point).
Viceversa, attempting a ssh session past the
firewall results in an instantaneous 'Connection
refused' message. The same connection from
another computer succeeds, proving a ssh server
was indeed running at the other end.

telneting to port 80 produces this result:

Trying 207.284.xxx.yyy...
Connected to 207.248.xxx.yyy.
Escape character is '^]'.

when attempted from the (outside) ip authorized
to access the computer. Any other ip just gets to
the 'Trying...' line. This is correct and what
should be happening, yet a browser reports
'request sent' and proceeds no further when
pointed to the address. (The Apache installation
index page should be displayed).

The administrator argues that some 'service'
within my server is blocking packets, but I don't
know that SSH can be configured to restrict
access to specific ip segments. It can restrict
access to *accounts*. Nor that there is such a
service, except the firewall, whose tables I have
already flushed.

Am I missing something? What other tests do you
suggest?

Thanks,
Gerardo




Searching for the best free email?  Try MetaCrawler Mail, from the #1 metasearch service on the Web, http://www.metacrawler.com

Re: Network accessibility problem

[Glynn Clements]

gerardo juarez-mondragon wrote:

> Am I missing something? What other tests do you
> suggest?

Use a packet logger such as tcpdump or ethereal to observe what is
actually being sent and received.

-- 
Glynn Clements <glynn@gclements.plus.com>

Re: Network accessibility problem

[chuck gelm]

gerardo juarez-mondragon wrote:

>I have a Fedora Core 2 server running in a
>network behind a firewall. I need access to ports
>22 and 80 from outside but the firewall
>administration is not under my control. I have
>requested this access to be opened and the
>administrator says it is already open, yet I
>still cannot access it from outside.
>
>I have run a few tests and this is what I found:
>
>(Filtering tables are flushed with iptables -F,
>on the server, prior to the tests)
>
>I can ping to/from it from/to any place, whether
>it is inside or outside the office.
>
>I can ssh to it from any place *inside*, but not
> from outside. A ssh -v from a computer outside
>succeeds up to the "entering event loop" message
>(which means it has presumably connected but the
>dialog does not proceed beyond this point).
>Viceversa, attempting a ssh session past the
>firewall results in an instantaneous 'Connection
>refused' message. The same connection from
>another computer succeeds, proving a ssh server
>was indeed running at the other end.
>
>telneting to port 80 produces this result:
>
>Trying 207.284.xxx.yyy...
>Connected to 207.248.xxx.yyy.
>Escape character is '^]'.
>
>when attempted from the (outside) ip authorized
>to access the computer. Any other ip just gets to
>the 'Trying...' line. This is correct and what
>should be happening, yet a browser reports
>'request sent' and proceeds no further when
>pointed to the address. (The Apache installation
>index page should be displayed).
>
>The administrator argues that some 'service'
>within my server is blocking packets, but I don't
>know that SSH can be configured to restrict
>access to specific ip segments. It can restrict
>access to *accounts*. Nor that there is such a
>service, except the firewall, whose tables I have
>already flushed.
>
>Am I missing something? What other tests do you
>suggest?
>
>Thanks,
>Gerardo
>  
>

Dear Gerardo:

 You mention only trying one port (ssh:22) from the 'outside'
and that the ssh attempt failed.

 You did not mention that the 'Fedora Core 2 server" (FC2S)
has a routeable IP address.  What ports of the FC2S are
reachable from the outside?

HTH, Chuck

Re: Network accessibility problem

[Andreas P. Koenzen]

gerardo juarez-mondragon wrote:
> I have a Fedora Core 2 server running in a
> network behind a firewall. I need access to ports
> 22 and 80 from outside but the firewall
> administration is not under my control. I have
> requested this access to be opened and the
> administrator says it is already open, yet I
> still cannot access it from outside.
>
> I have run a few tests and this is what I found:
>
> (Filtering tables are flushed with iptables -F,
> on the server, prior to the tests)
>
> I can ping to/from it from/to any place, whether
> it is inside or outside the office.
>
> I can ssh to it from any place *inside*, but not
>  from outside. A ssh -v from a computer outside
> succeeds up to the "entering event loop" message
> (which means it has presumably connected but the
> dialog does not proceed beyond this point).
> Viceversa, attempting a ssh session past the
> firewall results in an instantaneous 'Connection
> refused' message. The same connection from
> another computer succeeds, proving a ssh server
> was indeed running at the other end.
>
> telneting to port 80 produces this result:
>
> Trying 207.284.xxx.yyy...
> Connected to 207.248.xxx.yyy.
> Escape character is '^]'.
>
> when attempted from the (outside) ip authorized
> to access the computer. Any other ip just gets to
> the 'Trying...' line. This is correct and what
> should be happening, yet a browser reports
> 'request sent' and proceeds no further when
> pointed to the address. (The Apache installation
> index page should be displayed).
>
> The administrator argues that some 'service'
> within my server is blocking packets, but I don't
> know that SSH can be configured to restrict
> access to specific ip segments. It can restrict
> access to *accounts*. Nor that there is such a
> service, except the firewall, whose tables I have
> already flushed.
>
> Am I missing something? What other tests do you
> suggest?
>
> Thanks,
> Gerardo
>
>
>
>
> Searching for the best free email?  Try MetaCrawler Mail, from the #1 metasearch service on the Web, http://www.metacrawler.com
> -
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
>   
Hello Gerardo...  
The problem that you are experience it's coming from the Servers' 
Iptables Rules, you really should check with your server Admin. Maybe 
the port 22 and 80 are block from connections coming from an IP outside 
the range of your local network. If you can log into a the server from 
within the network and not from outside it is probably a rule from 
Iptables blocking outside connections.

Saludos   
AKC

Re: Network accessibility problem

[level]

Am I missing something? What other tests do you
> suggest?
The first thing i'd do is to analyse apache logs. You should find 
something related to apache/httpd in /var/log. There is an error.log and 
an access.log. I would look into the error.log to see if it's somehow 
apache who's faulting.

Re: Network accessibility problem

[Opaschi Octav]

chuck gelm wrote:
> Dear Gerardo:
>
> You mention only trying one port (ssh:22) from the 'outside'
> and that the ssh attempt failed.
>
> You did not mention that the 'Fedora Core 2 server" (FC2S)
> has a routeable IP address.  What ports of the FC2S are
> reachable from the outside?
>
> HTH, Chuck
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
Chuck, I think that he metioned that only 22 and 80 are accesable from 
outside, but the 22 I doubt it.

Cheers